Security Basics mailing list archives

RE: A question about modem security


From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 27 Apr 2004 09:54:30 +0100



I have read somewhere that dial-up questions using
modems are inherently insecure. Can somebody please
explain to me why it is so?

Thanks,

It isn't so. What was your source?

A dial up modem connection is no more 'inherently' insecure than 
any other kind of connection.

Due to the lack of encryption on the connection. Which is caused by the
limited amount of packets that can be sent over dial up speeds.

This is simply not true, you can send as many packets as you like,
(although obviously you will incur a time penalty), but aside from 
that, not having encryption enabled makes dial up lines no more
'inherently' insecure than any other unencrypted connection
(EG nearly all of them).  Encryption is most certainly not the issue.



The insecurity comes from the fact that anyone is capable of connecting
to the modem simply by dialling it and then can brute force their way
onto a system. Also most modems are left on systems by
non-administrators (ie some guy in the off) who do not make any attempt
to secure them.


By and large, that isn't true either.  Firstly, let's look at typical
deployment roles for a modem.

1) Client dial out 

   In this scenario, a user has a modem attached to her machine which
   she uses to dial out to connect to remote machines (eg her ISP)

   Firstly, by far the majority of modems will not pick up incoming
   calls out of the box.  This has been the default on every modem I
   have seen since the 80s, from my first 1200 baud to my last 56kbps.

   Secondly, even assuming the modem *was* configured to autoanswer,
   either by default or because the user changed the setting,
   it makes no difference if there is no terminal software on
   the machine capable of accepting an incoming connection.

   Thirdly, again, even if the modem is configured to answer inbound
   calls, an 'attacker' would have to find it.  This involves a 
   social engineering attack or a wardial.  In the first case, the
   'attacker' must be aware of the existence of the modem and have
   some motivation to dial into it.  It's feasible that a modem would
   be found by a random wardial*[1], but if it was, the above two issues 
   will prevent anything other than the inference that there is a 
   modem connected system, even in the worst case scenario.

   All of this assumes that the line the modem is on is directly
   available to outside callers.  While this is (probably) true of a 
   domestic line, not all organisations offer all their staff a DDI*[2]
   number.

2) Server dial in.

   In this scenario, the modem will pick up inbound calls by default,
   and will route them to some form of accepting software on the remote 
   host. (EG a terminal program or a PPP login, etc)

   In this scenario, the first two mitigations from above will not 
   protect us, as we are allowing dial ins to connect to our back end 
   systems.

   However, the likelihood of someone being able to 'simply dial in and 
   brute force' *should* most certainly be mitigated by the fact that 
   our mission critical host is logging such things, and will alert
   our eagle eyed sysadmins to the problem, should such a thing occur.


There are certainly other things to consider, such as ease of physical
access to telecomms infrastructure (cables, junction boxes, etc) on the
path between nodes, but these factors exist for any method of 
communications.

In a worst case scenario, dangerously configured, open modem connections 
most certainly are a security nightmare. However, there is no particular
'inherent' reason that this should be so.


HTH



   
*[1] this is less true outside the US, since many countries have no
free local calls, thus presenting a significant barrier to entry for
would-be wardiallers.

*[2] Direct Dial Inward, the ability of the PBX in your org to
forward outside calls direct to your desk phone as though it was
really an external facing line with its own telephone number.
The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. 
If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in 
this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group 
operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by 
viruses being passed.
joplings.co.uk
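As an added illustration that is not part of the original message: the "our host is logging such things and will alert our sysadmins" mitigation for the server dial-in scenario, written as a small detector run over constructed auth-log lines. The log format, host name, serial line names and the failure threshold are all assumptions made for this example, not anything from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines for a dial-in host (getty + login on
# serial lines); the format is made up for this example, not a real log.
SAMPLE_LOG = """\
Apr 27 09:01:12 dialin login[1204]: FAILED LOGIN 1 on ttyS1 FOR root, Authentication failure
Apr 27 09:01:20 dialin login[1204]: FAILED LOGIN 2 on ttyS1 FOR root, Authentication failure
Apr 27 09:01:29 dialin login[1204]: FAILED LOGIN 3 on ttyS1 FOR root, Authentication failure
Apr 27 09:01:41 dialin login[1210]: FAILED LOGIN 1 on ttyS1 FOR admin, Authentication failure
Apr 27 09:01:55 dialin login[1210]: FAILED LOGIN 2 on ttyS1 FOR guest, Authentication failure
Apr 27 09:02:03 dialin login[1210]: FAILED LOGIN 3 on ttyS1 FOR sync, Authentication failure
Apr 27 09:45:10 dialin login[1330]: FAILED LOGIN 1 on ttyS2 FOR alice, Authentication failure
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ on (?P<tty>\S+) FOR (?P<user>\S+),"
)

def parse_failures(log_text, year=2004):
    """Return (timestamp, tty, user) for each failed dial-in login."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["tty"], m["user"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Per serial line, report the largest failure count inside any sliding
    `window`; only lines reaching `threshold` are returned as {tty: (n, users)}."""
    by_tty = defaultdict(list)
    for ts, tty, user in sorted(events):
        by_tty[tty].append((ts, user))
    alerts = {}
    for tty, evs in by_tty.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window start forward
            count = end - start + 1
            if count >= threshold and count > alerts.get(tty, (0,))[0]:
                alerts[tty] = (count, {u for _, u in evs[start:end + 1]})
    return alerts

if __name__ == "__main__":
    for tty, (n, users) in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {tty}: {n} failed logins, users tried: {sorted(users)}")
```

On the sample, ttyS1 (six failures across four usernames in under a minute) raises an alert while the single failure on ttyS2 does not; in practice the same rule would be fed by the real getty/login syslog format of the dial-in host.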
